Diffstat (limited to 'modules/www/tailnet.nix')
| -rw-r--r-- | modules/www/tailnet.nix | 112 |
1 files changed, 0 insertions, 112 deletions
diff --git a/modules/www/tailnet.nix b/modules/www/tailnet.nix
deleted file mode 100644
index 56cfbf4..0000000
--- a/modules/www/tailnet.nix
+++ /dev/null
@@ -1,112 +0,0 @@ -# NOTE: the tailnet virtual host and it's certificate management -# has been mostly superseded by the `rnrd.fyi` domain, allowing -# for both vastly simpler certificate requesting and subdomains, -# which tailscale does not support for their magicdns product. -{ - me, - config, - lib, - pkgs, - ... -}: - -let - rnrdInternalUrl = if me.is.renard then "rnrd.fyi" else "${me.name}.rnrd.fyi"; - - oneWeekInSeconds = 7 * 24 * 60 * 60; - - tailscaleRenewScript = pkgs.writeShellScript "tailscale-cert-renew" '' - set -euxo pipefail - - check_validity() { - pem=$1 - ${pkgs.openssl}/bin/openssl x509 \ - -checkend ${toString oneWeekInSeconds} \ - -noout <$pem - } - - try_renew() { - ${pkgs.tailscale}/bin/tailscale cert \ - --cert-file certificates/fullchain.pem \ - --key-file certificates/key.pem \ - ${me.tailscale.domain} - } - - cut_out_certificate_authority() { - fullchain=$1 - buf="" - while read LINE; do - if [[ $LINE == *"BEGIN CERTIFICATE"* ]]; then - buf="" - fi - buf="$buf$LINE"$'\n' - done < $fullchain - echo "$buf" - } - - install_certificates() { - touch out/renewed - cp -vp 'certificates/fullchain.pem' out/fullchain.pem - cp -vp 'certificates/key.pem' out/key.pem - ln -sf fullchain.pem out/cert.pem - cat out/key.pem out/fullchain.pem > out/full.pem - cut_out_certificate_authority out/fullchain.pem > out/chain.pem - chown 'acme:nginx' out/* - chmod 640 out/* - } - - if [[ ! -e 'out/fullchain.pem' ]] || ! check_validity out/fullchain.pem; then - echo 1>&2 "attempting tailscale certificate renewal..." - if ! try_renew; then - echo 1>&2 "renewal failed :(" - exit 1 - fi - install_certificates - echo 1>&2 "successfully renewed certificate :)" - else - echo 1>&2 "renewal not yet necessary." 
- fi
- '';
-
-in
-{
- # overwrite default acme behaviour with tailscale
- systemd.services."acme-${me.tailscale.domain}" = {
- after = [ "tailscaled.service" ];
- requires = [ "tailscaled.service" ];
- serviceConfig = {
- ExecStart = lib.mkForce "+${tailscaleRenewScript}";
- };
- };
-
- # tailnet internal vhost
- services.nginx.virtualHosts = {
- # mostly superceded
- tailnet = {
- forceSSL = true;
- enableACME = true;
- serverName = me.tailscale.domain;
- listenAddresses = [ me.tailscale.ip ];
- # point to the default page, for now!
- locations."/" = {
- alias = "${config.services.nginx.virtualHosts.base.root}/";
- };
- extraConfig = ''
- access_log /var/log/nginx/tailnet.access.log json_combined;
- '';
- };
-
- # default page for the `rnrd.fyi` internal domain
- ${rnrdInternalUrl} = {
- useACMEHost = "rnrd.fyi";
- forceSSL = true;
- listenAddresses = [ me.tailscale.ip ];
- locations."/" = {
- alias = "${config.services.nginx.virtualHosts.base.root}/";
- };
- extraConfig = ''
- access_log /var/log/nginx/tailnet.access.log json_combined;
- '';
- };
- };
-}
|
